Configuring folder permission for users
The folder permission control feature lets you configure different folder permissions for each user. This limits each user's access and operations to authorized folders, or "Shared directories". It also supports “path” mode when submitting jobs. Path mode avoids copying input files between different locations and uses the selected file or folder as an input file directly.
Configure the shared directory
An Administrator must configure the ShareDirectory node in $PMC_TOP/gui/conf/Repository.xml:
<?xml version="1.0" encoding="UTF-8"?>
<ParamConfs>
  <Configuration>
    <!-- AccessLimit: Flag for enabling folder permission control. Default is true. -->
    <AccessLimit>true</AccessLimit>
    <Repository>
      <!-- User: Required. Sets the repository owner. Can be "all" or legal Linux user. -->
      <User>all</User>
      <!-- Path: Required. Sets the repository path to access. Can use system variable such as $HOME. -->
      <Path>/home</Path>
    </Repository>
    <!--
      ShareDirectory: Optional. Sets one or more shared directories to access.
      Name: Optional. Sets the alias name for display.
      Host: Optional. Sets the host name for accessing a remote host.
      Path: Required. Sets the share path to access. Can use system variable such as $HOME.
      ActionWrapper: Optional. Sets the script file used to access the folder.
    -->
    <ShareDirectory>
      <Name>Alias</Name>
      <Host>RemoteHost</Host>
      <Path>/data/share</Path>
      <ActionWrapper>/data/access.sh</ActionWrapper>
    </ShareDirectory>
  </Configuration>
</ParamConfs>
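Below is an example of an ActionWrapper script file. It uses expect to connect to a remote host over SSH automatically.
#!/usr/bin/expect
# The command to run on the remote host is passed as the first argument.
set cmd [lindex $argv 0]
# Connection settings. The password is stored in clear text in this file,
# so anyone who can read the script can read the password.
set myhost "host2"
set myuser "user"
set mypass "pass"
# To take values from environment variables instead:
#set user "$env(USER)"
#set host "$env(HOSTNAME)"
spawn ssh $myuser@$myhost $cmd
expect {
    # First connection: the host key prompt is answered "yes" without
    # checking the key, then the password is sent.
    "(yes/no)?" {
        send "yes\n"
        expect "*assword:"
        send "$mypass\n"
    }
    # Host key already known: send the password.
    "*assword:" {
        send "$mypass\n"
    }
}
# Wait for the remote command to finish.
expect eof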
Configuring folder permissions for users and roles
- As an Administrator, go to .
- Expand the Permissions column.
- The Permissions column will show the folder path that was configured in Repository.xml.
By default, the Application Center Administrator and Cluster Administrator roles have all permissions (View, Control, and Configure) for all the “Shared Directory” resources. Other roles have only View permission for “Shared Directory” resources.
- Edit the permissions for a “Shared Directory” resource for each role and individual users.
Note: IBM Spectrum LSF Application Center only checks permissions configured in the User Roles & Permissions page. It does not check the permissions at the OS level. Ensure the user has correct read/write permissions on the shared directory.
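An added example, not IBM's code: because Application Center does not check permissions at the OS level, this Python script reads the ShareDirectory nodes from a Repository.xml, checks that each local Path exists and is accessible to the account running the script, and flags ActionWrapper files that are readable or writable beyond their owner (the sample wrapper above stores a password in clear text). The XML file and wrapper are constructed in a temporary directory, and the finding names are made up for this example.

```python
import os, stat, tempfile
import xml.etree.ElementTree as ET

def load_share_dirs(xml_path):
    """Return one dict per <ShareDirectory> node in Repository.xml."""
    fields = ("Name", "Host", "Path", "ActionWrapper")
    root = ET.parse(xml_path).getroot()
    return [{f: (node.findtext(f) or "").strip() for f in fields}
            for node in root.iter("ShareDirectory")]

def audit(entry):
    """Return OS-level findings for one ShareDirectory entry."""
    findings = []
    path = os.path.expandvars(entry["Path"])  # Path may contain $HOME etc.
    if not entry["Host"]:                     # a remote Path cannot be checked from here
        if not os.path.isdir(path):
            findings.append("path-missing")
        elif not os.access(path, os.R_OK | os.W_OK | os.X_OK):
            findings.append("path-not-rwx-for-current-user")
    wrapper = entry["ActionWrapper"]
    if wrapper and os.path.isfile(wrapper):
        mode = stat.S_IMODE(os.stat(wrapper).st_mode)
        if mode & (stat.S_IRGRP | stat.S_IROTH):   # embedded secrets are exposed
            findings.append("wrapper-readable-by-group-or-other")
        if mode & (stat.S_IWGRP | stat.S_IWOTH):   # others can change what gets run
            findings.append("wrapper-writable-by-group-or-other")
    return findings

def demo():
    """Audit a constructed Repository.xml and wrapper in a temp directory."""
    tmp = tempfile.mkdtemp()
    share = os.path.join(tmp, "share")
    os.mkdir(share)
    wrapper = os.path.join(tmp, "access.sh")
    with open(wrapper, "w") as fh:
        fh.write("#!/usr/bin/expect\n")       # constructed stand-in for a wrapper
    os.chmod(wrapper, 0o644)                  # readable by every account on the host
    xml_path = os.path.join(tmp, "Repository.xml")
    with open(xml_path, "w") as fh:           # constructed sample using the page's node names
        fh.write("<ParamConfs><Configuration>"
                 f"<ShareDirectory><Name>local</Name><Path>{share}</Path>"
                 f"<ActionWrapper>{wrapper}</ActionWrapper></ShareDirectory>"
                 f"<ShareDirectory><Name>gone</Name><Path>{tmp}/absent</Path></ShareDirectory>"
                 "</Configuration></ParamConfs>")
    return {e["Name"]: audit(e) for e in load_share_dirs(xml_path)}

if __name__ == "__main__":
    print(demo())
```

To check a specific user's access, run the script as that user; os.access reports on the account running the script.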
Using Shared Directories
After the ShareDirectory and Permissions are configured, IBM Spectrum LSF Application Center will limit access to only the folders that are configured in Repository.xml and limit authorized actions based on a user's permissions.
- page
- File browser pop-up windows in the Submission form page
- File browser pop-up windows in the Application template edit page
In the Data page and file browser pop-up windows, all the folders configured in Repository.xml are listed under Shared Directories if the user has view or greater permission. If there are multiple folders on the same host, those folders are grouped under a host node.
To support “path” mode, open the file $PMC_TOP/gui/conf/pmc.conf and change the value of the ADD_SERVER_FILE_TYPE parameter to path. In a Submission form, when selecting a server file, IBM Spectrum LSF Application Center uses this file directly instead of a copy or link to it.